The Biden administration issues a cybersecurity call to action for the US water industry amid flood of cyber threats targeting essential systems
This directive (see the official guidance) comes in the wake of revelations that utilities are facing increasingly sophisticated cyberattacks, some linked to state-sponsored actors from Iran and China. These attacks justifiably raise alarms over their potential impact on public health and safety.
In a coordinated effort, a letter dispatched to all US governors (see EPA press office statement) underscores the seriousness of the situation. The correspondence, a joint initiative by the White House and the Environmental Protection Agency (EPA), highlights the water sector as a target for cyber adversaries. These attacks threaten to cut off access to vital clean water resources and levy substantial financial burdens on communities caught in the crosshairs.
Addressing Utility Security
To address these pressing concerns, a high-level meeting involving the Environmental, Health, and Homeland Security secretaries is slated for today, March 21st. The gathering aims to deliberate on protective measures essential for securing the nation’s water infrastructure against the backdrop of these cyber threats. Furthermore, the EPA is in the process of establishing a Water Sector Cybersecurity Task Force dedicated to pinpointing vulnerabilities within the system and enhancing protective protocols based on insights gained from the forthcoming discussions.
The gravity of this threat is underscored by the acknowledgment that water and wastewater systems serve as foundational pillars to the well-being and functioning of communities. Yet, many of these critical infrastructures are hampered by limited resources and technological capabilities, making them particularly susceptible to cyber incursions. The advisory from Jake Sullivan, National Security Advisor, and Michael S. Regan, EPA Administrator, to the states was explicit:
“It is imperative that water utilities undergo comprehensive vulnerability assessments and adopt a set of cybersecurity best practices as recommended by the Cybersecurity and Infrastructure Security Agency (CISA).”
The urgency of this matter was further highlighted by recent incidents, including cyberattacks attributed to Iranian-backed hackers. These attackers targeted US water facilities that were secured with merely the default manufacturing passwords on crucial operational technology. Such oversights have prompted a nationwide call for bolstered security measures, exemplified by the US Treasury’s move to sanction individuals linked to the Iranian Armed Forces implicated in these cyber operations.
Adding to the concern is the discovery of Volt Typhoon, a cyber espionage campaign with ties to the Chinese government. Uncovered in February, this operation had successfully infiltrated systems containing sensitive information regarding US drinking water infrastructure, posing yet another layer of threat to national security.
These incidents serve as blunt reminders of the vulnerabilities inherent in critical infrastructure sectors and the imperative to adopt more robust cybersecurity measures. For water utilities, the path forward involves both implementing fundamental security practices, such as changing default passwords and regularly updating software, and investing in more advanced cybersecurity strategies and solutions, such as microsegmentation tools and protection against zero-day attacks.
What Next for Water Industry Cybersecurity?
Adopting platforms that offer comprehensive visibility and real-time threat detection can be a game-changer in this context. By leveraging existing endpoint detection and response (EDR) agents, such platforms can extend their protective reach, ensuring continuous monitoring and rapid response to abnormal activities. The water industry must address OT security, guard against ransomware, and manage the risk from software supply chain attacks.
A proactive approach will enhance the security of water and wastewater systems and contribute to the resilience of the broader critical infrastructure landscape.
A Clear Signal for the Water Industry
The Biden administration’s call to action is a clear signal of the critical importance of safeguarding the nation’s water systems from cyber threats. By fostering collaboration between federal and state entities and integrating advanced cybersecurity technologies, the United States can fortify its defenses against these evolving threats. The commitment to protecting this essential lifeline underlines a broader national security strategy that prioritizes the safety and well-being of its citizens in the face of cyber adversaries.